Re: privileged user in RedHat

Subject : Re: privileged user in RedHat
From : gtaylor (at) *nospam* tnetconsulting.net (Grant Taylor)
Newsgroups : comp.os.linux.misc
Date : 30. Aug 2024, 03:28:12
Organization : TNet Consulting
Message-ID : <varans$5b0$2@tncsrv09.home.tnetconsulting.net>
References : 1 2
User-Agent : Mozilla Thunderbird
On 8/28/24 02:53, 186282@ud0s4.net wrote:
> Root has access to EVERYTHING

I question the veracity of that.
Especially when you consider different name spaces; mount, network, etc.
Root should always have the ability to gain access to something.  But I can think of various scenarios where root doesn't inherently have access to things.
A simple example is an immutable file which root can't remove without disabling the immutability first.

> (note that 'sudo' kinda breaks this security measure, so research and set it CAREFULLY). You do NOT have to use 'visudo' ... but then it's on YOU to get it 100% right.
>
> Anything 'vi' I tend to REMOVE because I find line-editors SO offensive these days.

So set EDITOR and / or VISUAL and / or FCEDIT to your preferred editor. visudo will happily use them.  Or live dangerously.

> The SYSTEM doesn't really care about the ID numbers.

There are some things that check to see if a UID and / or GID is below a threshold for various reasons.

> While there are terminal-line utilities, you can also edit /etc/groups and /etc/passwd using something like 'nano' and add/remove users from the privileges of the root user. DO be CAREFUL ! Get it right. Plenty of docs on the net.

Don't forget to edit the shadow counterparts; /etc/gshadow and /etc/shadow respectively.  Lest some tools get cranky when files and their shadows don't match.
ProTip:  Use tools, like visudo -- configured to use your preferred editor -- as they often sanity check file syntax and / or synchronize other files and generally try to help you.
I've learned that the more you're fighting the system, the more likely that you're doing something wrong or shouldn't be doing for some reason.

> As for 'sudo' ... there ARE ways to force it to require the ROOT password instead of the regular USER password. This is much more secure.

How is having multiple users knowing a shared password more secure than each user only knowing their own password?

> Oh, Raspberry Pi's ... 'sudo' often requires NO password. NOT great.

Agreed.  But that's a distribution configuration, not a software requirement.
Upstream sudo will ask for the running user's password.  The intention is for the running user to authenticate themselves to sudo and then sudo allows or disallows them to do what they've asked to do based on the configuration of the sudoers file.
--
Grant. . . .
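
The point in the post above about account files and their shadow counterparts getting out of step, as an added example that is not part of the original post: a read-only check that lists names present in only one file of a pair, plus entries whose password field is not deferred to the shadow file. The function names and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the post): compare an account file with its shadow file.

# shadow_mismatch PRIMARY SHADOW
# Prints "<name> missing-from <file>" for every name found in only one file.
shadow_mismatch() {
    awk -F: -v p="$1" -v s="$2" '
        /^[ \t]*$/ || /^#/ { next }            # ignore blank lines and comments
        FILENAME == p { in_p[$1] = 1; next }   # names from passwd or group
        { in_s[$1] = 1 }                       # names from shadow or gshadow
        END {
            for (n in in_p) if (!(n in in_s)) print n " missing-from " s
            for (n in in_s) if (!(n in in_p)) print n " missing-from " p
        }' "$1" "$2" | sort
}

# unshadowed PRIMARY
# Prints names whose second field is not "x", i.e. the password field is
# not deferred to the shadow file (an empty field means no password at all).
unshadowed() {
    awk -F: '!/^[ \t]*$/ && !/^#/ && $2 != "x" { print $1 }' "$1" | sort
}

# make_sample DIR: write constructed sample files (not real system data).
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob::1001:1001:Bob:/home/bob:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:!:19900:0:99999:7:::
alice:!:19900:0:99999:7:::
carol:!:19900:0:99999:7:::
EOF
}

# Demo on the constructed files: bob lacks a shadow entry, carol lacks a
# passwd entry, and bob has an empty password field in passwd.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
shadow_mismatch "$demo_dir/passwd" "$demo_dir/shadow"
unshadowed "$demo_dir/passwd"
rm -rf "$demo_dir"
```

The same functions work on a group and gshadow pair; on a live system pwck and grpck perform these and further checks.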
